
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Django 1.8.3 release notes &#8212; Django 2.2.12.dev20200304094918 documentation</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Django 1.8.2 release notes" href="1.8.2.html" />
    <link rel="prev" title="Django 1.8.4 release notes" href="1.8.4.html" />



 
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);</script>

  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 2.2.12.dev20200304094918 documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="1.8.4.html" title="Django 1.8.4 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.8.2.html" title="Django 1.8.2 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.8.3">
            
  <div class="section" id="s-django-1-8-3-release-notes">
<span id="django-1-8-3-release-notes"></span><h1>Django 1.8.3 release notes<a class="headerlink" href="#django-1-8-3-release-notes" title="Permalink to this headline">¶</a></h1>
<p><em>July 8, 2015</em></p>
<p>Django 1.8.3 fixes several security issues and bugs in 1.8.2.</p>
<p>Also, <code class="docutils literal notranslate"><span class="pre">django.utils.deprecation.RemovedInDjango20Warning</span></code> was renamed to
<code class="docutils literal notranslate"><span class="pre">RemovedInDjango110Warning</span></code> as the version roadmap was revised to 1.9, 1.10,
1.11 (LTS), 2.0 (drops Python 2 support). For backwards compatibility,
<code class="docutils literal notranslate"><span class="pre">RemovedInDjango20Warning</span></code> remains as an importable alias.</p>
<div class="section" id="s-denial-of-service-possibility-by-filling-session-store">
<span id="denial-of-service-possibility-by-filling-session-store"></span><h2>Denial-of-service possibility by filling session store<a class="headerlink" href="#denial-of-service-possibility-by-filling-session-store" title="Permalink to this headline">¶</a></h2>
<p>In previous versions of Django, the session backends created a new empty record
in the session storage anytime <code class="docutils literal notranslate"><span class="pre">request.session</span></code> was accessed and there was a
session key provided in the request cookies that didn’t already have a session
record. This could allow an attacker to easily create many new session records
simply by sending repeated requests with unknown session keys, potentially
filling up the session store or causing other users’ session records to be
evicted.</p>
<p>The built-in session backends now create a session record only if the session
is actually modified; empty session records are not created. Thus this
potential DoS is now only possible if the site chooses to expose a
session-modifying view to anonymous users.</p>
<p>As each built-in session backend was fixed separately (rather than a fix in the
core sessions framework), maintainers of third-party session backends should
check whether the same vulnerability is present in their backend and correct
it if so.</p>
</div>
<div class="section" id="s-header-injection-possibility-since-validators-accept-newlines-in-input">
<span id="header-injection-possibility-since-validators-accept-newlines-in-input"></span><h2>Header injection possibility since validators accept newlines in input<a class="headerlink" href="#header-injection-possibility-since-validators-accept-newlines-in-input" title="Permalink to this headline">¶</a></h2>
<p>Some of Django’s built-in validators
(<a class="reference internal" href="../ref/validators.html#django.core.validators.EmailValidator" title="django.core.validators.EmailValidator"><code class="xref py py-class docutils literal notranslate"><span class="pre">EmailValidator</span></code></a>, most seriously) didn’t
prohibit newline characters (due to the usage of <code class="docutils literal notranslate"><span class="pre">$</span></code> instead of <code class="docutils literal notranslate"><span class="pre">\Z</span></code> in the
regular expressions). If you use values with newlines in HTTP response or email
headers, you can suffer from header injection attacks. Django itself isn’t
vulnerable because <a class="reference internal" href="../ref/request-response.html#django.http.HttpResponse" title="django.http.HttpResponse"><code class="xref py py-class docutils literal notranslate"><span class="pre">HttpResponse</span></code></a> and the mail sending
utilities in <a class="reference internal" href="../topics/email.html#module-django.core.mail" title="django.core.mail: Helpers to easily send email."><code class="xref py py-mod docutils literal notranslate"><span class="pre">django.core.mail</span></code></a> prohibit newlines in HTTP and SMTP
headers, respectively. While the validators have been fixed in Django, if
you’re creating HTTP responses or email messages in other ways, it’s a good
idea to ensure that those methods prohibit newlines as well. You might also
want to validate that any existing data in your application doesn’t contain
unexpected newlines.</p>
<p><a class="reference internal" href="../ref/validators.html#django.core.validators.validate_ipv4_address" title="django.core.validators.validate_ipv4_address"><code class="xref py py-func docutils literal notranslate"><span class="pre">validate_ipv4_address()</span></code></a>,
<a class="reference internal" href="../ref/validators.html#django.core.validators.validate_slug" title="django.core.validators.validate_slug"><code class="xref py py-func docutils literal notranslate"><span class="pre">validate_slug()</span></code></a>, and
<a class="reference internal" href="../ref/validators.html#django.core.validators.URLValidator" title="django.core.validators.URLValidator"><code class="xref py py-class docutils literal notranslate"><span class="pre">URLValidator</span></code></a> are also affected, however, as
of Django 1.6 the <code class="docutils literal notranslate"><span class="pre">GenericIPAddresseField</span></code>, <code class="docutils literal notranslate"><span class="pre">IPAddressField</span></code>, <code class="docutils literal notranslate"><span class="pre">SlugField</span></code>,
and <code class="docutils literal notranslate"><span class="pre">URLField</span></code> form fields which use these validators all strip the input, so
the possibility of newlines entering your data only exists if you are using
these validators outside of the form fields.</p>
<p>The undocumented, internally unused <code class="docutils literal notranslate"><span class="pre">validate_integer()</span></code> function is now
stricter as it validates using a regular expression instead of simply casting
the value using <code class="docutils literal notranslate"><span class="pre">int()</span></code> and checking if an exception was raised.</p>
</div>
<div class="section" id="s-denial-of-service-possibility-in-url-validation">
<span id="denial-of-service-possibility-in-url-validation"></span><h2>Denial-of-service possibility in URL validation<a class="headerlink" href="#denial-of-service-possibility-in-url-validation" title="Permalink to this headline">¶</a></h2>
<p><a class="reference internal" href="../ref/validators.html#django.core.validators.URLValidator" title="django.core.validators.URLValidator"><code class="xref py py-class docutils literal notranslate"><span class="pre">URLValidator</span></code></a> included a regular expression
that was extremely slow to evaluate against certain invalid inputs. This regular
expression has been simplified and optimized.</p>
</div>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Fixed <code class="docutils literal notranslate"><span class="pre">BaseRangeField.prepare_value()</span></code> to use each <code class="docutils literal notranslate"><span class="pre">base_field</span></code>’s
<code class="docutils literal notranslate"><span class="pre">prepare_value()</span></code> method (<a class="reference external" href="https://code.djangoproject.com/ticket/24841">#24841</a>).</li>
<li>Fixed crash during <a class="reference internal" href="../ref/django-admin.html#django-admin-makemigrations"><code class="xref std std-djadmin docutils literal notranslate"><span class="pre">makemigrations</span></code></a> if a migrations module either
is missing <code class="docutils literal notranslate"><span class="pre">__init__.py</span></code> or is a file (<a class="reference external" href="https://code.djangoproject.com/ticket/24848">#24848</a>).</li>
<li>Fixed <code class="docutils literal notranslate"><span class="pre">QuerySet.exists()</span></code> returning incorrect results after annotation with
<code class="docutils literal notranslate"><span class="pre">Count()</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/24835">#24835</a>).</li>
<li>Corrected <code class="docutils literal notranslate"><span class="pre">HStoreField.has_changed()</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/24844">#24844</a>).</li>
<li>Reverted an optimization to the CSRF template context processor which caused
a regression (<a class="reference external" href="https://code.djangoproject.com/ticket/24836">#24836</a>).</li>
<li>Fixed a regression which caused template context processors to overwrite
variables set on a <code class="docutils literal notranslate"><span class="pre">RequestContext</span></code> after it’s created (<a class="reference external" href="https://code.djangoproject.com/ticket/24847">#24847</a>).</li>
<li>Prevented the loss of <code class="docutils literal notranslate"><span class="pre">null</span></code>/<code class="docutils literal notranslate"><span class="pre">not</span> <span class="pre">null</span></code> column properties during field
renaming of MySQL databases (<a class="reference external" href="https://code.djangoproject.com/ticket/24817">#24817</a>).</li>
<li>Fixed a crash when using a reverse one-to-one relation in
<code class="docutils literal notranslate"><span class="pre">ModelAdmin.list_display</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/24851">#24851</a>).</li>
<li>Fixed quoting of SQL when renaming a field to <code class="docutils literal notranslate"><span class="pre">AutoField</span></code> in PostgreSQL
(<a class="reference external" href="https://code.djangoproject.com/ticket/24892">#24892</a>).</li>
<li>Fixed lack of unique constraint when changing a field from
<code class="docutils literal notranslate"><span class="pre">primary_key=True</span></code> to <code class="docutils literal notranslate"><span class="pre">unique=True</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/24893">#24893</a>).</li>
<li>Fixed queryset pickling when using <code class="docutils literal notranslate"><span class="pre">prefetch_related()</span></code> after deleting
objects (<a class="reference external" href="https://code.djangoproject.com/ticket/24831">#24831</a>).</li>
<li>Allowed using <code class="docutils literal notranslate"><span class="pre">choices</span></code> longer than 1 day with <code class="docutils literal notranslate"><span class="pre">DurationField</span></code>
(<a class="reference external" href="https://code.djangoproject.com/ticket/24897">#24897</a>).</li>
<li>Fixed a crash when loading squashed migrations from two apps with a
dependency between them, where the dependent app’s replaced migrations are
partially applied (<a class="reference external" href="https://code.djangoproject.com/ticket/24895">#24895</a>).</li>
<li>Fixed recording of applied status for squashed (replacement) migrations
(<a class="reference external" href="https://code.djangoproject.com/ticket/24628">#24628</a>).</li>
<li>Fixed queryset annotations when using <code class="docutils literal notranslate"><span class="pre">Case</span></code> expressions with <code class="docutils literal notranslate"><span class="pre">exclude()</span></code>
(<a class="reference external" href="https://code.djangoproject.com/ticket/24833">#24833</a>).</li>
<li>Corrected join promotion for multiple <code class="docutils literal notranslate"><span class="pre">Case</span></code> expressions. Annotating a
query with multiple  <code class="docutils literal notranslate"><span class="pre">Case</span></code> expressions could unexpectedly filter out
results (<a class="reference external" href="https://code.djangoproject.com/ticket/24924">#24924</a>).</li>
<li>Fixed usage of transforms in subqueries (<a class="reference external" href="https://code.djangoproject.com/ticket/24744">#24744</a>).</li>
<li>Fixed <code class="docutils literal notranslate"><span class="pre">SimpleTestCase.assertRaisesMessage()</span></code> on Python 2.7.10
(<a class="reference external" href="https://code.djangoproject.com/ticket/24903">#24903</a>).</li>
<li>Provided better backwards compatibility for the <code class="docutils literal notranslate"><span class="pre">verbosity</span></code> argument in
<code class="docutils literal notranslate"><span class="pre">optparse</span></code> management commands by casting it to an integer
(<a class="reference external" href="https://code.djangoproject.com/ticket/24769">#24769</a>).</li>
<li>Fixed <code class="docutils literal notranslate"><span class="pre">prefetch_related()</span></code> on databases other than PostgreSQL for models
using UUID primary keys (<a class="reference external" href="https://code.djangoproject.com/ticket/24912">#24912</a>).</li>
<li>Fixed removing <code class="docutils literal notranslate"><span class="pre">unique_together</span></code> constraints on MySQL (<a class="reference external" href="https://code.djangoproject.com/ticket/24972">#24972</a>).</li>
<li>Fixed crash when uploading images with MIME types that Pillow doesn’t detect,
such as bitmap, in <code class="docutils literal notranslate"><span class="pre">forms.ImageField</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/24948">#24948</a>).</li>
<li>Fixed a regression when deleting a model through the admin that has a
<code class="docutils literal notranslate"><span class="pre">GenericRelation</span></code> with a <code class="docutils literal notranslate"><span class="pre">related_query_name</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/24940">#24940</a>).</li>
<li>Reallowed non-ASCII values for <code class="docutils literal notranslate"><span class="pre">ForeignKey.related_name</span></code> on Python 3 by
fixing the false positive system check (<a class="reference external" href="https://code.djangoproject.com/ticket/25016">#25016</a>).</li>
<li>Fixed inline forms that use a parent object that has a <code class="docutils literal notranslate"><span class="pre">UUIDField</span></code> primary
key and a child object that has an <code class="docutils literal notranslate"><span class="pre">AutoField</span></code> primary key
(<a class="reference external" href="https://code.djangoproject.com/ticket/24958">#24958</a>).</li>
<li>Fixed a regression in the <code class="docutils literal notranslate"><span class="pre">unordered_list</span></code> template filter on certain
inputs (<a class="reference external" href="https://code.djangoproject.com/ticket/25031">#25031</a>).</li>
<li>Fixed a regression in <code class="docutils literal notranslate"><span class="pre">URLValidator</span></code> that invalidated Punycode TLDs
(<a class="reference external" href="https://code.djangoproject.com/ticket/25059">#25059</a>).</li>
<li>Improved <cite>pyinotify</cite> <code class="docutils literal notranslate"><span class="pre">runserver</span></code> polling (<a class="reference external" href="https://code.djangoproject.com/ticket/23882">#23882</a>).</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 1.8.3 release notes</a><ul>
<li><a class="reference internal" href="#denial-of-service-possibility-by-filling-session-store">Denial-of-service possibility by filling session store</a></li>
<li><a class="reference internal" href="#header-injection-possibility-since-validators-accept-newlines-in-input">Header injection possibility since validators accept newlines in input</a></li>
<li><a class="reference internal" href="#denial-of-service-possibility-in-url-validation">Denial-of-service possibility in URL validation</a></li>
<li><a class="reference internal" href="#bugfixes">Bugfixes</a></li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="1.8.4.html"
                        title="previous chapter">Django 1.8.4 release notes</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="1.8.2.html"
                        title="next chapter">Django 1.8.2 release notes</a></p>
  <div role="note" aria-label="source link">
    <h3>This Page</h3>
    <ul class="this-page-menu">
      <li><a href="../_sources/releases/1.8.3.txt"
            rel="nofollow">Show Source</a></li>
    </ul>
   </div>
<div id="searchbox" style="display: none" role="search">
  <h3>Quick search</h3>
    <div class="searchformwrapper">
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    </div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">Mar 04, 2020</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="1.8.4.html" title="Django 1.8.4 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.8.2.html" title="Django 1.8.2 release notes">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>